How to handle Ransom ware

Hi,
Most of the files (Word/Excel/Access/PDF) on my server are infected by the ZEPTO virus. The backup device does not have the latest files. So I am considering paying the ransom money. We don't have much option even if there is no guarantee.
Having said that, did anyone try to pay these virus developers "bitcoin dollars" and successfully decrypt infected files?
Any advice in terms of how to deal with these people?
I have the screenshot of the message (where it shows the URL to receive my private key along with additional steps to try, and it had "personal identification ID: xxxxx!!!"). I can post it if you would like to see it.
Thanks in advance. (Attachment: Zepto-virus.PNG)


Yes and no. There is no guarantee the decryption tool will work 100% and not corrupt the files. Importantly, it does not state that it will not return to reinfect, or clean off the machine after payment.

I strongly encourage not paying the ransom, though unfortunately, at this time there is still no way to decrypt Zepto/Locky encrypted folders for free.

Meanwhile, I hope you consider the below moving ahead.

Disconnect the infected machine.

Change your passwords, especially those reused on social sites, web email, etc.

Recover whatever is possible from your working backup.

Rescan using another, alternate scanner besides your AV; I suggest Malwarebytes Anti-Malware or Anti-Exploit and HitmanPro.Alert.

Turn on AppLocker for application whitelisting if you have it; otherwise consider CryptoPrevent (FoolishIT) or SecureAPlus. Disable active macros in MS Office.

Have another anti-ransomware software such as Malwarebytes Anti-Ransomware or WinPatrol WinAntiRansom.

Spend more time on user education on cyber hygiene: looking out for phishing links, websites and emails, and the use of unknown thumb drives.

Don't use an admin account by default for users.


sglee (Author) commented: 2016-09-23

Any particular tactic worth noting from the articles you have read? Like paying partial ransom money for partial recovery ... not exactly, but something like that. Or do you just have to pay what they're asking and hope for the best?

The latter. Pay what they ask and hope. That is all you can do. Articles are hearsay so no real value here.


sglee (Author) commented: 2016-09-23

@btan
I will update user passwords.
"There is no guarantee the decryption tool will work 100% and not corrupt the files. Importantly, it does not state that it will not return to reinfect or clean off the machine after payment." ---> I am with you 100%. But as much as I hate to try this option, this is the only option that I have. I can't think about what might happen after the files are decrypted at this point. I will think about that later. But for now I need to find a way to decrypt these files.

If there is no backup and the recovery attempt is futile, then the last resort, as mentioned, is payment.

To receive the unique private key, the infected user is told to visit one of several available Tor pages listed in these ransom notes. The person will eventually navigate to the “Locky Decryptor Page” containing the Bitcoin address, to which they are supposed to send about 0.5 BTC, which is roughly $300. While uncomfortable, the option of paying the ransom may seem to be the only way out.

sglee (Author) commented: 2016-09-23

"send about 0.5 BTC, which roughly equals to $300" --> We traced that site and the amount was over 2k in our case.

You should NOT pay the ransom under any circumstances. You are funding criminals. The more money they make the more they are enabled to develop more sophisticated software to steal more money from more people. Additionally, these thieves are often associated with larger criminal organisations that use the money to fund their other illegal activities - extortion, kidnapping, murder. Do you really want to be funding that?

A recent advisory issued by the FBI strongly urges victims of ransomware not to pay the criminals.

The advisory quotes FBI Cyber Division Assistant Director James Trainor, who confirms that the bureau does not recommend paying extortionists:

“Paying a ransom doesn’t guarantee an organization that it will get its data back—we’ve seen cases where organizations never got a decryption key after having paid the ransom. Paying a ransom not only emboldens current cyber criminals to target more organizations, it also offers an incentive for other criminals to get involved in this type of illegal activity. And finally, by paying a ransom, an organization might inadvertently be funding other illicit activity associated with criminals.”

I would suggest you should not give money to them so easily, as that money can be used in a wrong way. They gave a few wrong examples, but he missed terrorism, which is important. Your money can be used by such organisations.

If I were in your place, I would restore from whatever backup I have, and the same money I would put into making the backup stronger, so if someone tries to screw me again I have my ass covered with the latest backup.

You may also try forensic recovery tools, as some ransomware may not have securely wiped diligently; you have nothing to lose since all files are already locked. But some ransomware will start wiping out the encrypted files if the ransom is overdue or as the deadline draws nearer. Stay composed and manage the fear-mongering and mind games by those criminals... they ultimately only want your ransom, as the files are nothing to them... unless there is a hidden agenda from them.
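A triage script for the "recover whatever is possible from your working backup" and forensic-recovery steps above, added here as an example and not code posted in this thread. It assumes the ransomware appends .zepto to each encrypted file and that the backup tree mirrors the server's folder layout; the sample inventories are constructed.

```python
"""Share triage after file-renaming ransomware (added example, not from the
thread). Assumes the ransomware appends EXT (".zepto" assumed) to each victim
and that the backup tree mirrors the server tree. Work on a read-only copy."""
from pathlib import Path
from typing import Dict

EXT = ".zepto"  # assumed ransomware extension; adjust to what you observe
DOC_EXTS = {".doc", ".docx", ".xls", ".xlsx", ".mdb", ".accdb", ".pdf"}


def inventory(root: Path) -> Dict[str, float]:
    """Map each file under root (relative path, forward slashes) to its mtime."""
    return {p.relative_to(root).as_posix(): p.stat().st_mtime
            for p in root.rglob("*") if p.is_file()}


def triage(server: Dict[str, float], backup: Dict[str, float]) -> dict:
    """Split the share into encrypted files, intact documents, paths the
    backup can give back, stale backup copies and an estimate of lost files."""
    encrypted = sorted(f for f in server if f.lower().endswith(EXT))
    intact = sorted(f for f in server if Path(f).suffix.lower() in DOC_EXTS)
    # Originals were renamed away, so a backup path missing from the server
    # is a document the backup can restore (possibly an older version).
    restorable = sorted(f for f in backup if f not in server)
    # A surviving server file newer than its backup copy: keep the server copy.
    stale_backup = sorted(f for f in intact if f in backup and server[f] > backup[f])
    return {
        "encrypted": encrypted,
        "intact": intact,
        "restorable": restorable,
        "stale_backup": stale_backup,
        # one encrypted blob per original: whatever exceeds the restorable
        # count has no known copy and must be recreated by the users
        "lost_estimate": max(0, len(encrypted) - len(restorable)),
    }


# Constructed sample inventories standing in for inventory(Path(...)) output.
SAMPLE_SERVER = {
    "finance/q3.xlsx": 300.0,             # survived, edited after the backup
    "finance/A1B2C3D4E5F6.zepto": 500.0,  # constructed encrypted names
    "hr/0F1E2D3C4B5A.zepto": 500.0,
    "hr/6789ABCDEF01.zepto": 500.0,
}
SAMPLE_BACKUP = {
    "finance/q3.xlsx": 100.0, "finance/budget.xlsx": 100.0, "hr/policy.docx": 100.0,
}

if __name__ == "__main__":
    print(triage(SAMPLE_SERVER, SAMPLE_BACKUP))
```

Run `inventory()` on a mounted, read-only copy of the share and of the backup, then feed both maps to `triage()`; the `lost_estimate` is what the team has to redo by hand.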

If you don't have the current backup, just restore the old versions you still have backups of, and have your employees do the work again of what is lost, if needed. There just is no point at all in even thinking about paying the ransom. It is not worth it. If you pay, all you do is support the crooks so they can design even better viruses and extort even more money from others or from you again.